OGN Challenge #7

This challenge can be found where Roanoke gives Wheeler a wallet ID.

The Setup

Wheeler wants to transfer the funds from the card, but we need some personal information. The account seems to be linked to Darius Gift, who had an obituary published recently. Can you gather the information we need and gain access to the funds?

You'll find two key pieces in the comic and on the webpage:

A barcode containing encoded card data
A link to Tropic Bank's transfer form

The challenge also provides this Python script (encoder.py):

# pip install msgpack 
import msgpack
import base64

card_data = {
    "card": 12345678900000,
    "pin": "1a2b3c"
}

packed = msgpack.packb(card_data)
encoded = base64.b64encode(packed)

# https://gchq.github.io/CyberChef/#recipe=To_MessagePack()To_Base64('A-Za-z0-9%2B/%3D')&input=ewogICAgImNhcmQiOiAxMjM0NTY3ODkwMDAwMCwKICAgICJwaW4iOiAiMWEyYjNjIgp9&oeol=VT

What the Bank Form Requires

The transfer form needs these four pieces of information:

Sender Account Number
What is the name of your current agent?
What city do you currently live in?
What is the title of your first published work?

Part 1: Decoding the Card Data

The barcode gives us encoded information. When we scan it with a barcode scanner, we get: gqRjYXJkzwAAIYgxWHbco3Bpbs0SmA==

This looks like base64-encoded data! Looking at the encoder.py script, we can see the encoding process:

Pack data with MessagePack
Encode result with Base64

To reverse this process:

Base64::encode(MessagePack::pack(data))
becomes
MessagePack::unpack(Base64::decode(data))

Using CyberChef to decode, we get:

{
    "card": 36868827150044,
    "pin": 4760
}

Perfect! The sender account number is 36868827150044.

Part 2: Finding Darius Gift's Personal Info

The remaining three security questions can be answered by locating Darius Gift's obituary in the comic. You can find it a few pages before the challenge's indicator.

Agent name: David Lebling II
Current city: Bangkok
First published work title: The Shadow Factory

Part 3: Completing the Transfer

Once we have all four pieces of information, we can fill out the Tropic Bank form and complete the fund transfer.

The interface asks us for a pin, which we have decoded previously as part of the card data: 4760.

Congrats, we've got the flag!

Hacker Mindset

Social engineering attacks often combine technical data extraction with open-source intelligence (OSINT). By finding publicly available information like obituaries, attackers can answer security questions that victims thought were private. This highlights why personal information should never be used for authentication.